Network Working Group                                        E. Nordmark
Request for Comments: 4218                              Sun Microsystems
Category: Informational                                            T. Li
                                                            October 2005
Threats Relating to IPv6 Multihoming Solutions
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2005).
Abstract
This document lists security threats related to IPv6 multihoming.
Multihoming can introduce new opportunities to redirect packets to
different, unintended IP addresses.
The intent is to look at how IPv6 multihoming solutions might make
the Internet less secure; we examine threats that are inherent to all
IPv6 multihoming solutions rather than study any specific proposed
solution. The threats in this document build upon the threats
discovered and discussed as part of the Mobile IPv6 work.
Table of Contents
1. Introduction
   1.1. Assumptions
   1.2. Authentication, Authorization, and Identifier Ownership
2. Terminology
3. Today's Assumptions and Attacks
   3.1. Application Assumptions
   3.2. Redirection Attacks Today
   3.3. Packet Injection Attacks Today
   3.4. Flooding Attacks Today
   3.5. Address Privacy Today
4. Potential New Attacks
   4.1. Cause Packets to Be Sent to the Attacker
      4.1.1. Once Packets Are Flowing
      4.1.2. Time-Shifting Attack
      4.1.3. Premeditated Redirection
      4.1.4. Using Replay Attacks
   4.2. Cause Packets to Be Sent to a Black Hole
   4.3. Third Party Denial-of-Service Attacks
      4.3.1. Basic Third Party DoS
      4.3.2. Third Party DoS with On-Path Help
   4.4. Accepting Packets from Unknown Locators
   4.5. New Privacy Considerations
5. Granularity of Redirection
6. Movement Implications?
7. Other Security Concerns
8. Security Considerations
9. Acknowledgements
10. Informative References
Appendix A: Some Security Analysis
1. Introduction
The goal of the IPv6 multihoming work is to allow a site to take
advantage of multiple attachments to the global Internet, without
having a specific entry for the site visible in the global routing
table. Specifically, a solution should allow hosts to use multiple
attachments in parallel, or to switch between these attachment points
dynamically in the case of failures, without an impact on the
transport and application layer protocols.
At the highest level, the concerns about allowing such "rehoming" of
packet flows can be called "redirection attacks": the ability to
cause packets to be sent to a place that isn't tied to the transport
and/or application layer protocol's notion of the peer. These
attacks pose threats against confidentiality, integrity, and
availability. That is, an attacker might learn the contents of a
particular flow by redirecting it to a location where the attacker
has a packet recorder. If, instead of a recorder, the attacker
changes the packets and then forwards them to the ultimate
destination, the integrity of the data stream would be compromised.
Finally, the attacker can simply use the redirection of a flow as a
denial-of-service attack.
This document has been developed while considering multihoming
solutions architected around a separation of network identity and
network location, whether or not this separation implies the
introduction of a new and separate identifier name space. However,
this separation is not a requirement for all threats, so this